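#!/usr/bin/bash
# Issue an OpenVPN client certificate with easy-rsa, mirror the PKI directory
# to the VPN server, and write an inline <client>.ovpn profile into the
# directory the script was started from.
#
# Usage: ./script.sh <client-name>
#
# The generated profile embeds the client's private key and the tls-auth key,
# so it is created with mode 0600 (umask 077); deliver it over a trusted
# channel only.
set -euo pipefail

readonly CER_DIR=/etc/openvpn/cerdir
readonly EASYRSA=/soft/easyrsa/easyrsa
readonly VPN_SERVER=root@172.16.50.250

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }
# Print a non-fatal diagnostic to stderr.
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# Build the client cert/key, sync the PKI dir to the server and write the
# .ovpn profile.
# Globals:   CER_DIR, EASYRSA, VPN_SERVER (read)
# Arguments: $1 - client (certificate common) name
# Outputs:   writes "<start dir>/$1.ovpn"
# Returns:   0 on success; exits non-zero via die() on any fatal step
#######################################
main() {
  local client=${1:-}
  local orig_dir
  orig_dir=$(pwd)

  [[ -n "$client" ]] || die "usage: ${0##*/} <client-name>"
  # The name becomes part of a file path and an easyrsa argument: reject path
  # separators, leading dashes and anything outside a conservative charset.
  [[ "$client" =~ ^[A-Za-z0-9][A-Za-z0-9._@-]*$ ]] \
    || die "invalid client name: $client"

  # easyrsa resolves its pki/ directory relative to the cwd.
  cd -- "$CER_DIR" || die "cannot cd to $CER_DIR"
  "$EASYRSA" build-client-full "$client" nopass \
    || die "easyrsa build-client-full failed for $client"

  local user_private_key user_cert ca_crt ta_key
  user_private_key=$(cat -- "$CER_DIR/pki/private/$client.key")
  # The issued .crt carries a textual header before the PEM block; keep only
  # the PEM part (grep fails, and so does the script, if no BEGIN line exists).
  user_cert=$(grep -A100 "BEGIN" -- "$CER_DIR/pki/issued/$client.crt")
  ca_crt=$(cat -- "$CER_DIR/pki/ca.crt")
  ta_key=$(cat -- "$CER_DIR/ta.key")

  # Replace the server's copy of the whole PKI directory. This ships
  # everything under $CER_DIR, including any CA private key kept there.
  # Output is suppressed as before, but failures are now reported instead of
  # silently ignored; they do not block profile generation.
  ssh "$VPN_SERVER" "rm -rf /etc/openvpn/cerdir" >/dev/null 2>&1 \
    || warn "could not remove remote PKI dir on $VPN_SERVER"
  scp -rdp "$CER_DIR" "$VPN_SERVER:/etc/openvpn/" >/dev/null 2>&1 \
    || warn "could not copy PKI dir to $VPN_SERVER"

  local profile="$orig_dir/$client.ovpn"
  # The profile holds private key material: create it readable by owner only.
  umask 077
  # The directives below are emitted verbatim into the client profile and
  # must match the server's configuration (cipher, tls-version-min,
  # tls-auth key-direction, verify-x509-name).
  cat <<EOF > "$profile"
client
dev tun
proto udp4
remote net.niceyh.com 2294
remote net.niceyh.com 3394
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
explicit-exit-notify 1
verify-x509-name vpn-server name   # ovpn server common name
auth-nocache
tls-version-min 1.2
route-nopull
route 172.16.0.0 255.255.0.0 vpn_gateway
#auth SHA256
#tls-cipher   xxxxxxxxxxx
#log-append /tmp/openvpn11.log
#daemon
<key>
$user_private_key
</key>
<cert>
$user_cert
</cert>
<ca>
$ca_crt
</ca>
key-direction 1   # 增加个tls的静态密钥，在建立通道时，防止dos攻击，1表示客户端
<tls-auth>
$ta_key
</tls-auth>
EOF
}

main "$@"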
